- Trusted Subject can violate the star property but not its intent
- Strong * property – no reading or writing to another level
3. Discretionary Security Property – uses an access matrix to specify discretionary access control

Discretionary access can be:
- Content Dependent – access decisions based on the data contained in the object
- Context Dependent – access decisions based on subject or object attributes (i.e. job role, earlier accesses, and file creation dates and times)

Weaknesses of Bell-LaPadula
- Does not address covert channels
- Does not address modern systems that use file sharing and servers
- Does not define secure state transitions
- Based on multilevel security; does not address other policy types

Integrity Models

Biba Integrity Model
Integrity is defined by three goals:
- Data protected from modification by unauthorized users
- Data protected from unauthorized modification by authorized users
- Data is internally and externally consistent

Biba Integrity Model
- Developed in 1977 as an integrity add-on to Bell-LaPadula
- Lattice based; uses the "less than or equal to" relation
- A lattice structure is a set with a least upper bound (LUB) and a greatest lower bound (GLB)
- The lattice represents a set of integrity classes (IC) and an ordered relationship
- Lattice = (IC, ≤, LUB, GLB)

Integrity Axioms
1. The Simple Integrity Axiom – no reading of a lower object by a higher subject (No Read Down)
2. The * (star) Integrity Axiom – no writing from a lower subject to a higher object (No Write Up)
3. A subject at a lower level of integrity cannot invoke a subject at a higher level of integrity

Clark-Wilson Integrity Model
- Two elements: well-formed transactions and separation of duties
- Developed in 1987 for use in real-world commercial environments
- Addresses the three integrity goals
- Constrained Data Item (CDI) – a data item whose integrity is to be preserved

- Integrity Verification Procedure (IVP) – confirms that all CDIs have integrity
- Transformation Procedure (TP) – transforms a CDI from one integrity state to another integrity state
- Unconstrained Data Item – data items outside the control area of the modeled environment
- Requires integrity labels

Information Flow Models
- Each object and subject is assigned a security class and value; information is constrained to flow in the directions permitted by the security policy
- Based on a state machine and consists of objects, state transitions, and lattice (flow policy) states
- An object can be a user
- Each object is assigned a security class and value
- Information is constrained to flow in the directions permitted by the policy

Non-interference Model
Actions of group A using commands C are not seen by users in group B using commands D

Composition Theories
When smaller systems are combined they must maintain the component systems' security properties
McLean – defined internal and external compositional constructions
- External Constructs
  - Cascading – one system's input is the output of another
  - Feedback – one system's output is input to another system and returned as input to the first system
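The lattice (≤, LUB, GLB) and the Bell-LaPadula and Biba access rules from the sections above, as an added worked example that is not part of the original notes. It assumes one concrete encoding of a label as an ordered level plus a set of categories (dominance = higher-or-equal level and superset of categories); the label values are constructed for illustration.

```python
from dataclasses import dataclass

# Added example (not from the original notes); label values below are constructed.
@dataclass(frozen=True)
class Label:
    """Lattice element: ordered level (clearance or integrity class) + category set."""
    level: int
    cats: frozenset

def le(a: Label, b: Label) -> bool:
    """The lattice's 'less than or equal to' relation: b dominates a."""
    return a.level <= b.level and a.cats <= b.cats

def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(max(a.level, b.level), a.cats | b.cats)

def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(min(a.level, b.level), a.cats & b.cats)

# Bell-LaPadula (confidentiality): simple security = no read up; * property = no
# write down; strong * property = read/write only at the subject's own level.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return le(obj, subject)

def blp_can_write(subject: Label, obj: Label) -> bool:
    return le(subject, obj)

def blp_strong_star(subject: Label, obj: Label) -> bool:
    return subject == obj

# Biba (integrity): simple integrity = no read down; * integrity = no write up;
# a subject may invoke only subjects at its own or a lower integrity level.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return le(subject, obj)

def biba_can_write(subject: Label, obj: Label) -> bool:
    return le(obj, subject)

def biba_can_invoke(caller: Label, callee: Label) -> bool:
    return le(callee, caller)

if __name__ == "__main__":
    secret = Label(2, frozenset({"NUCLEAR"}))
    top_secret = Label(3, frozenset({"NUCLEAR", "CRYPTO"}))
    print("BLP: SECRET subject reads TOP SECRET object:", blp_can_read(secret, top_secret))   # False
    print("BLP: SECRET subject writes TOP SECRET object:", blp_can_write(secret, top_secret)) # True
    print("Biba: high-integrity reads low-integrity:", biba_can_read(Label(3, frozenset()), Label(1, frozenset())))  # False
```

Note that the same `le` relation drives both models; only the direction of the check flips, which is why a high-integrity subject is barred from reading what a high-clearance subject is allowed to read.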
